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(57) A system includes a general synchronization 
module at the client site for operating within a first fire- 
wall and for examining first version information to deter- 
mine whether a first workspace element has been mod- 
ified. The system further includes a synchronization 
agent at a global sen/er for operating outside the first 
firewall and for forwarding to the general synchroniza- 
tion module second version information which indicates 
whether an independently-modifiable copy of the first 
workspace element has been modified. A synchroniza- 
tion-start module is maintained at the client site for op- 
erating within the first firewall and for securely initiating 
the general synchronization module and the synchroni- 
zation agent when predetermined criteria have been 
satisfied. The system further includes means for gener- 
ating a preferred versk^n from the first workspace ele- 
ment and from the copy by comparing the first version 
information and the second version information, and 
means for storing the preferred versbn at the first store 
and at the second store. 
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Description 

BACKGROUND OF THE iNVENTION 

[0001] This tnventbn relates generally to computer 
networks, and more particularly to a system and method 
for securely synchronizing multiple copies of a work- 
space element such as a file in a secure network. 
[0002] Data consistency is a significant concern for 
computer users. For example, when maintaining multi- 
ple independently-modiftabte copies of a document, a 
user risks using an outdated version. Further, by the 
time the user notices the inconsistency, interparty mis- 
communicatkyi or data k>ss may have resulted. The us- 
er must then spend more time attempting to reconcile 
the inconsistent verstons. 

[0003] The problem of data inconsistency is exacer- 
bated when multiple copies of a document are main- 
tained at different network locations. For example, due 
to network security systems such as conventional fire- 
wall technology, a user may have access only to a par- 
ticular one of these network kx:atk3ns. Without access 
to the other sites, the user cannot confirm that the ver- 
sion on the accessible site is the most recent draft. 
[0004] Therefore, a system and method are needed 
for providing users with data consistency, and more par- 
ticularly for synchronizing multiple copies of a work- 
space element such as a document in the secure net- 
work environment. 

[0005] Partk:ular and preferred aspects of the inven- 
tion are set out in the accompanying independent and 
dependent claims. Features of the dependent claims 
may be combined with those of the independent claims 
as appropriate and in combinations other than those ex- 
plicitly set out in the claims. 

SUMMARY OF THE INVENTION 

[0006] An embodiment of the invention provides a 
system and method for synchronizing multiple copies of 
a workspace element in a secure network environment. 
The secure network environment includes a global serv- 
er connected to multiple clients. Using the present sys- 
tem and method, the clients automatically synchronize 
workspace data between multiple sites, independent of 
whether the sites are protected by site firewalls. 
[0007] The present system includes a general syn- 
chronization module at the client site for operating within 
a first firewall and for examining first version information 
to detennine whether a first workspace element has 
been modified. The system further includes a synchro- 
nizatk>n agent at the global sender for operating outside 
the first firewall and for fonvarding to the general syn- 
chronization module second version information which 
indicates whether an independently-nrodifiable copy of 
the first workspace element has been modified. A syn- 
chronization-start module at the client site operates 
within the first firewall and initiates the general synchro- 



nization module and the synchronization agent when 
predetermined criteria have been satisfied. The system 
further includes means for generating a preferred ver- 
sion from the first workspace element and from the copy 
s by comparing the first version information and the sec- 
ond version information, and means for storing the pre- 
ferred version at the first store and at the second store. 
[0008] The system further handles the case when 
both the workspace element and the copy have been 
to modified independently since the last date and time of 
synch ronizatk)n. Accordingly, a content-based synchro- 
nization module performs a responsive action such as 
determined a preferred version or storing both the first 
workspace element and the copy at both the first store 
75 and at the second store. 

[0009] The present method includes the steps of gen- 
erating first examination results by examining first ver- 
skxi infonnatbn, which indk^ates whether a first work- 
space element stored at a first store within a firewall has 
been modified; and generating second examinatbn re- 
sults by examining second versk»^ information which in- 
dk:ates whether an independently-rrxxlifiable copy of 
the first workspace element, the copy being stored at a 
second store outside the firewall, has been modified. 
The present method further includes the steps of initiat- 
ing synchronization from within the firewall when prede- 
termined criteria have been satisfied; generating a pre- 
ferred versbn from the first workspace element and 
from the copy based on the first and second examination 
results; and storing the preferred version at the first store 
and at the second store. 

[0010] The system and method advantageously use 
a trusted third party to enable the synchronization of 
workspace data anrKxig multiple sites. Accordingly, a cli- 
ent user who maintains a work site, a home site, an off- 
site and the global server site can synchronize the work- 
space data or portions thereof among all four sites. Fur- 
ther, the predetermined criteria (which controls when the 
synchronizatbn-start module initiates synchronizatbn) 
may be set so that the general synchronization module 
synchronizes the workspace data upon user request, at 
predetermined times during the day such as while the 
user is commuting, or after a predetermined user action 
such as user log-off or user k>g-on. Because the system 
and method operate over the Internet, synch ronizatk^n 
can occur over any distance. Since synchronization is 
initiated from within the firewall, the typical firewall, 
which prevents in -bound commun cations, does not act 
as an impediment to workspace data synchronizatbn. 
Also, since the user's preferences may be previously 
set, the present system and method may operate unat- 
tended by the client user. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0011] Exemplary embodiments of the invention are 
descried hereinafter, by way of example only, with ref- 
erence to the accompanying drawings, in which: 
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FIG. 1 is a block diagram illustrating a secure data- 
syrtchronizing network in accordance with the 
present invention; 

FIG. 2 is a block diagram illustrating details of a FIG. 
1 service server. 

FIG. 3 is a block diagram illustrating details of the 
FIG. 1 desktop computer; 
FIG. 4 is a block diagram illustrating details of the 
FIG. 3 base system; 

FIG. 5 is a block diagram illustrating details of the 
FIG. 1 synchronization agent; and 
FIG. 6 is a flowchart illustrating a method for syn- 
chronizing multiple copies of a workspace element 
in a secure network. 

DETAILED DESCRIPTION 

[0012] FIG. 1 is a block diagram illustrating a secure 
data-synchronizing network 100, comprising a first site 
such as a remote computer terminal 105 coupled via a 
communtcatk)ns channel 110 such as the Internet to a 
global server 120. The global server 120 is in turn cou- 
pled via a communications channel 125 such as the In- 
ternet to a second site such as a corporate Local Area 
Network (LAN) 135. The global server 120 is protected 
by a global firewall 115, and the corporate LAN 135 is 
protected by a corporate firewall 130. 
[0013] The corporate LAN 135 includes a corporate 
signal bus 1 40 coupling the corporate firewall 130 to an 
e-mail server 1 45 having e-mail data 1 65, to a file server 
1 50 having file data 1 70, to a calendar server 1 55 having 
calendar data 175 and to a desktop computer 160 hav- 
ing user data 180. It will be appreciated that the e-mail 
data 1 65, file data 1 70, calendar data 1 75 and user data 
160 or portions thereof may be stored at different bca- 
tions such as locally on the desktop computer 1 60. It will 
be further appreciated that the e-mail data 165. file data 
1 70, calendar data 1 75 and user data 1 80 are exempla- 
ry and collectively referred to herein as ^rkspace da- 
ta" 1 85. Those skilled in the art will recognize that "work- 
space data" may include other types of data such as 
application programs. It will be further appreciated that 
the e-mail data 165, file data 170, calendar data 175 and 
user data 180 may each be divided into workspace el- 
ements, wherein each workspace element is kientified 
by particular version information 255 (described bebw 
with reference to FIG. 2). Accordingly, each e-mail, file, 
calendar, etc. may be referred to as "a workspace ele- 
ment in workspace data.' 

[0014] An independently nrKxiifiable copy of the work- 
space data 185, referred to herein as workspace data 
123, is stored on the global server 1 20 for easy access 
by a user from the remote terminal 105. Being a copy, 
the workspace data 123 includes independently modifi- 
able copies of each workspace element in workspace 
data 185 and an independently modifiable copy of ver- 
sion information 255 (FIG. 2), referred to herein as ver- 
sion informatbn 124. 



[0015] Network 100 further comprises synchroniza- 
tion means, which includes a base system 190 stored 
within the corporate LAN 135 and for example on the 
desktop computer 160 and further includes a syrrchro- 

5 nization agent 1 26 stored outskie the corporate firewall 
130 and preferably on the global server 120' The base 
system 1 90 and the synchronization agent 1 26 cooper- 
ate to synchronize the workspace data 185 with the 
workspace data 123. Generally, the base system 190 

10 manages the workspace data 185 within the corporate 
LAN 135 and the synchronizatk>n agent 126 manages 
the workspace data 1 23 within the global server 1 20. As 
described in greater detail bebw with reference to FIG. 
4. the base system 1 90 preferably initiates and controls 

^5 data synchronization. 

[0016] The remote terminal 105 may include a smart 
telephone or a Personal Data Assistant (PDA) such as 
the PalmPilot system by the U.S. Robotics, Inc. Al- 
though not shown, the remote terminal 1 05 may include 

20 a second base system similar to the base system 1 90. 
which is described with greater detail with reference to 
FIG. 4. Accordingly, the second base system on the re- 
mote terminal 105 would cooperate with the synchroni- 
zation agent 126 to synchronize the workspace data 

2S stored on the remote terminal 105 with the workspace 
data 123 stored on the global sender 120. As with the 
corporate LAN, the second base system on the remote 
terminal 105 would preferably initiate and control data 
synchronization with the global sender 1 20 for the same 

30 reasons discussed below. Workspace data on the re- 
mote terminal 105 would thus be synchronized with the 
workspace data 123 and with the workspace data 185. 
[0017] FIG. 2 is a bkx;k diagram illustrating details of 
a service server 200, wherein each of the e-mail server 

35 1 45. the file sender 1 50. the calendar server 1 55 and the 
desktop computer 160 is an instance thereof. Service 
server 200 includes a Central Processing Unit (CPU) 
205 such as a f^otorola Power PC® microprocessor or 
an Intel Pentium® microprocessor An input device 210 

40 such as a keyboard and mouse and an output device 
215 such as a Cathode Ray Tube (CRT) display are cou- 
pled via a signal bus 220 to CPU 205. A communicatk>ns 
interface 225 (such as an Ethernet port), a data storage 
device 230 (such as read only memory or a magnetic 

45 disk), and Random-Access Merrrary (RAM) 235 are fur- 
ther coupled via signal bus 220 to the CPU 205. 
[0018] An operating system 240 includes a program 
for controlling processing by the CPU 205. and is typi- 
cally stored in the data storage device 230 artd loaded 

so into the RAM 235 for execution. A sen/ice engine 245 
includes a program for performing a particular servkre 
such as maintaining an e-mail data base, a calendar da- 
ta base, a lxx>kmarks data base or another file data 
base, and may be also stored in the data storage devbe 

55 230 and loaded into the RAM 235 for execution. To per- 
form a sen^ice, the service engine 245 operates on serv- 
ice data 250 (e.g., the e-mail data 165, the file data 170. 
the calendar data 175 or the user data 180). which is 
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typically stored in the data storage device 250. The serv- 
ice data 250 includes version information 255 indicating 
the date and time of the last modification. The service 
engine 245 operates to update the versbn information 
255 whenever modifications are made. It will be appre- 
ciated that the portion of memory in the cbta storage 
device 250 which contains the service data 250 is re- 
ferred to as the service 'store.* 
[0019] FIG. 3 ts a block diagram illustrating details of 
the desktop computer 160, which includes a CPU 305. 
an input device 310, an output devkie 315, a communi- 
cations interface 325, a data storage device 330 and 
RAM 335, each coupled to a signal bus 320. 
[0020] An operating system 340 includes a program 
for controlling processing by the CPU 305, and is typi- 
cally stored in the data storage device 330 and ioaded 
into the RAM 335 for execution. A desktop servk;e en- 
gine 345 (i.e., a partk:ular service engine 245, FIG. 2) 
includes a service program for managing user data 180 
(i.e., particular service data 250, FIG. 2) which includes 
version information 350 (i.e.. particular version informa- 
tion 255, FIG. 2). The desktop sen/ice engine 345 may 
be also stored In the data storage device 330 and baded 
into the RAM 335 for executbn. The user data 180 may 
be stored in the data storage device 330. As stated 
above with reference to FIG. 1, the base system 190 
operates to synchronize the workspace data 185 (which 
includes user data 180) with the workspace data 123. 
The base system 190 may be also stored in the data 
storage device 330 and baded into the RAM 335 for ex- 
ecution. 

[0021] FIG. 4 is a block diagram illustrating details of 
the base system 190, which includes a communications 
module 405. a user interface module 41 0, a locator mod- 
ule 415. a synchronizatbn-start ("synch-start* ) module 
420, a general synchronization module 425 and a con- 
tent-based synchronization module 430. For simplicity, 
each module is illustrated as communicating with one 
another via a signal bus 440. 

[0022] The communications module 405 includes 
routines for compressing data, and routines for commu- 
nicating via the communications interface 325 (FIG. 3) 
with the synchronization agent 126 (FIG. 1). The com- 
munications module 405 may further include routines for 
applying Secure Socket Layer (SSL) technobgy and us- 
er bentification and authentication techniques (i.e., dig- 
ital certificates) to establish a secure communicatbn 
channel through the corporate firewall 1 30 and through 
the gbbal firewall 126. Examples of communications 
modules 405 nr^ay include TCP/IP stacks or the Apple- 
Talk® protocol. 

[0023] The user interface 410 includes routines for 
communicating with a user, and may include a conven- 
tional Graphical User Interface (GUI). The user interface 
410 operates in coordination with the other desktop 
computer 160 components as described herein. , 
[0024] The bcator module 415 includes routines for 
identifying the memory locations of the worl^space ele- 



ments in the workspace data 185 and the memory loca- 
tions of the workspace elements in the workspace data 
123. Workspace element merrory location bentiftcation 
may be implemented using intelligent software, i.e.. pre- 

B set memory addresses or the system's registry, or using 
dialogue boxes to query a user. Accordingly, the locator 
module 415 determines the merTK>ry addresses of the 
workspace elements in the e-nnail data 165, the work- 
space elements in the file data 170, the workspace ele- 

10 ments in the calendar data 1 75 and the workspace ele- 
ments in the user data 180 as well as the memory ad- 
dresses of the corresponding workspace elements in 
the workspace data 123. It will be appreciated that the 
bcator rrxxJule 415 may perform workspace element 

»5 memory location bentification upon system boot-up or 
after each communicatbn with the global server 1 20 to 
nr^intain updated memory locations of workspace ele- 
ments. 

[0025] The synchronization-start module 420 in- 

20 dudes routines for determining when to initiate synchro- 
nization of workspace data 123 and workspace data 
185. For example, the synch ronizatbn-start module 420 
may initiate data synchronization upon user request, at 
a particular time of day, after a predetermined time pe- 

25 riod passes, after a predetermined number of changes, 
after a user action such as user bg-off or upon like cri- 
teria. The synch ronizatbn-start module 420 initiates da- 
ta synchronization by instructing the general synchroni- 
zation module 425 to begin executbn of its routines. It 

30 will be appreciated that communications with synchro- 
nization agent 1 26 preferably initiate from within the cor- 
porate LAN 11 35. because the typical corporate firewall 
1 30 prevents in-bound communications and albws out- 
bound communicatbns. 

35 [0026] The general synchronization noodule 425 in- 
cludes routines for requesting version infomr^ation 124 
from the synchronization agent 126 (FIG. 1) and rou- 
tines for comparing the versbn information 255 against 
a last synchronization signature 435 such as a last syn- 

"fo chronization date and time to determine which versbns 
have been modified. The general synchronization rrxxi- 
ule 425 further includes routines for comparing the ver- 
sbn information 1 24 and the versbn information 255 to 
determine if only one or both versions of a particular 

45 workspace elerrient have been nrKxJif ied and routines for 
performing an appropriate synchronizing responsive ac- 
tion. Appropriate synchronizing responsive actions may 
include forwarding the modified version (as the pre- 
ferred versbn) of a workspace element in workspace 

50 data 1 85 or forwarding just a compilation of the changes 
to the other store(s). Other appropriate synchronizing 
responsive actions may include, if reconciliatbn be- 
tween two modified versions is needed, then instructing 
the content-based synchronization nrKxJule 430 to exe- 

^ cute its routines whch are described bebw. 

[0027] It will be appreciated that the synchronization 
agent 1 26 preferably examines the version information 
124 and forwards only the version information 124 de- 
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termined to be modified since the last synchronization 
signature 435. This technique makes efficient use of 
processor power and avoids transferring unnecessary 
data across the communications channel 1 25. The gen- 
eral synchronization nrKxJule 425 in the corporate LAN 
135 accordingly compares the received version infor- 
mation 124 with the version tnfonmation 255 to deter- 
mine if reconciliation is needed. Upon completion of the 
data synchronization, the general synchronization mod- 
ule 425 updates the last synchronization signature 435. 
[0028] The content-based synchronization module 
430 includes routines for reconciling two or more mod- 
ified versions in workspace data 1 23. 1 85 of the same 
workspace element. For example, rf the original and the 
copy of a user workspace element have both been mod- 
ified independently since the last . synch ronizatkxi, the 
content-based synchronization module 430 determines 
the appropriate responsive action. The content-based 
synchronization module 430 may request a user to se- 
lect the preferred one of the modified versions or may 
respond based on preset preferences, i.e.. by storing 
both versions in both stores or by integrating the chang- 
es into a single preferred version which replaces each 
modified version at both stores. 
[0029] FIG. 5 is a block diagram illustrating details of 
the synchronization agent 126, which includes a com- 
munications module 505 (similar to the communications 
module 405 described above with reference to FIG. 4) 
and a general synchronization module 510 (similar to 
the general synchronization module 425 described 
above also with reference to FIG. 4). The communica- 
tions module 505 includes routines for compressing da- 
ta, and routines for communicating via the communica- 
tions channel 125 with the base system 190. The com- 
munications tr^odule 505 may further include routines for 
establishing a secure communications channel through 
the global firewall 126 and through the corporate firewall 
130. 

[0030] The general synchronization module 510 in- 
cludes routines for comparing the version information 
124 with the last synchronization signature 435, and 
routines for forwarding to the general synchronization 
module 425 version information 124 determined to be 
modified. The general synchronization module 51 0 may 
either maintain its own last synchronization signature 
435 copy (not shown). Altematrvety. the request to syn- 
chronize from the base system 1 90 nnay include a copy 
of the last synchronization signature 435. The general 
synchronization module 510 further includes routines 
for receiving prefen'ed versions of workspace data 185 
workspace elements from the general synchronization 
module 425, and routines for forwarding preferred ver- 
sions of workspace data 1 23 workspace elements to the 
general synchronization rruxiule 425. 
[0031] FIG. 6 is a flowchart illustrating a method 600 
for synchronizing multiple copies of workspace, data 
123, 185 in a secure network 100. Method 600 begins 
with kx:dtor rruxJule 41 5 in step 605 identifying the mem- 
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ory locatbns of the workspace elements in workspace 
data 123, 185. As stated at>ove. workspace element 
memory kx:atk:>n Identification may be implemented us- 
ing intelligent software or dialogue boxes. The user in- 
5 terface module 410 in step 610 enables selection of the 
workspace elements in workspace data 123, 185 to be 
synchronized by the general synchronization module 
425. 

[0032] The synchronizatk:>n-start module 420 in step 

10 615 determines whether predetermined criteria have 
been met which indicate that synchronization ot the 
workspace elements selected in step 610 should start. 
If not, then method 600 loops back to step 615. Other- 
wise, the communications module 405 and communica- 

15 tions module 505 in step 617 establish a secure com- 
municatbns channel between the gk>bal server 120 and 
the desktop computer 1 60. The general synchronization 
module 510 in step 620 compares the version informa- 
tion 1 24 of each of the selected workspace elements in 

20 workspace data 123 against the last synch ronizatkwi 
signature 435 to determine modified workspace ele- 
ments, and forwards the version informatkxi 124 of 
workspace elements determined to be modified to the 
general synchronization nrodule 425. Further, the gen- 

2S eral synchronization module 425 in step 620 compares 
the version information 255 of each selected workspace 
element in the workspace data 185 against the last syn- 
chronization signature 435 to kx:ate modified work- 
space elements. In this embodiment, a workspace ele- 

30 ment has been modified if the date and time of last mod- 
ification is after the date and time of last synchronization. 

[0033] If no modified workspace elements in work- 
space data 123 or in workspace data 185 are located, 

35 then the general synch ronizatkjn modules 425 and 510 
in step 650 update the last synch ronizatbn signature 
435 and method 600 ends. Otherwise, the general syn- 
chronization module 425 in step 625 determines wheth- 
er more than one version of the same workspace ele- 

40 ment has been modified since the last synchronization. 
[0034] If only one version has been modified, then the 
corresponding general synchronization module 425 or 
510 in step 630 forwards the updated preferred versbn 
of the workspace element to the other store, and then 

45 in step 635 determines whether all workspace elements 
selected in step 610 have been examined. If so, then 
method 600 jumps to step 650. Otherwise, then method 
600 returns to step 620. 

[0035] If more than one versbn has been rruxiified, 
50 then the general synchronization nriodule 425 in step 
640 instructs the content-based synchronization mod- 
ule 430 to reconcile the nrKxJified versions. Reconcilia- 
tion may include requesting instmctions from the user 
or, based on preselected preferences, performing re- 
55 sponsive actkuns such as storing both versions at both 
stores. 

[0036] General synchronization module 425, 510 in 
step 645 sends the preferred version of the workspace 
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element or just a compilation of the changes to the other 
store. That is, if the preferred version is a workspace 
element in the workspace data 185. then general syn- 
chronization module 425 sends the preferred versbn or 
the changes to general synchronization module 510 to 
update the outdated workspace element in the work- 
space data 123. If the preferred version is a workspace 
element in the workspace data 123. then the general 
synchronization module 510 sends the preferred ver- 
sion or the changes to the general synchronization mod- 
ule 425 to update the outdated workspace element in 
the workspace data 1 85. Method 600 then jumps to step 
635. 

[0037] The foregoing description of the preferred em- 
bodiments of the invention is by way of example only, 
and other variations of the above-described embodi- 
ments and methods are provided by the present inven- 
tion. For example, although the global server 120 is il- 
lustrated as a single device, the global server 120 may 
include several computers networked together. Al- 
though not described in great detail, the remote terminal 
105 can synchronize copies of workspace elements 
stored on it with workspace elements of workspace data 
1 23 stored on the gkDbal server 1 20. Components of this 
invent bn may be implemented using a programmed 
general purpose digital computer, using application spe- 
cific integrated circuits, or using a network of intercon- 
nected conventional components and circuits. The em- 
bodiments described herein have been presented for 
purposes of illustration and are not intended to be ex- 
haustive or limiting. Many variations and modifications 
are possible in light of the foregoing teaching. 



Claims 

1 . A computer-based method comprising the steps of: 

(a) generating first examtr^tion results from 
first version informatbn which indicates wheth- 
er a first workspace element stored at a first 
store within a firewall has been modified; 

(b) generating second examinatksn results from 
second version information which indicates 
whether an independently-modifiable copy of 
the first workspace element has been modified, 
the copy being stored at a second store outside 
the firewall; 

(c) initiating steps (a) and (b) from within the 
firewall when predetermined criteria have been 
satisfied; 

(d) generating a preferred version from the first 
workspace element and from the copy based 
on the first and second examination results; 
and 

(e) storing the preferred version at the first store 
and at the second store. 



2. The method of claim 1 wherein the second store is 
on a global server outside the firewall and which is 
protected by a global firewall. 

s 3. The method of claim 1 or claim 2 wherein the first 
version information includes the date and time the 
first workspace element was last modified and the 
second verskDn information includes the date and 
time the copy was last rrKxiified. 

4. The method of claim 3 wherein generating the first 
examination results includes the step of comparing 
the first versbn information against a date and time 
of last synchronization. 

5. The method of claim 3 or claim 4 wherein generat- 
ing the second examination results includes the 
step of comparing the second version informatbn 
against a date and time of last synchronization. 

6. The method of any preceding claim further compris- 
ing, before generating the first examination results, 
the step of updating the first version information 
whenever the first workspace element is modified. 

7. The method of any preceding claim further compris- 
ing, before generating the second examination re- 
sults, the step of updating the second version infor- 
nnation whenever the copy is modified. 

8. The method of any preceding claim wherein if only 
one of the first workspace element and the copy has 
been modified, then the step of generating includes 
selecting the one as the preferred version. 

9. The method of any preceding claim further compris- 
ing the step of locating the first workspace element, 
the first versbn information, the copy and the sec- 
ond version information. 

10. A system comprising: 

a general synch ronizatbn module for operating 
within a first firewall and for examining first ver- 
sion inforn^tion to determine whether a first 
workspace element has been modified; 
a synchronization agent for operating outside 
the first firewall and for forwarding to the gen- 
eral synchronization module second versk>n in- 
formation which indicates whether an inde- 
pendently-modifiable cc^y of the first work- 
space element has been modified; 
a synchronization-start module for operating 
within the first firewall and for initiating the gen- 
eral synchronization module and the synchro- 
nization agent when predetermined criteria 
have been satisfied; 

means for generating a preferred version from 
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the first workspace element and from the copy 
by comparing the first version infomiation and 
the second version information; and 
means for storing the preferred version at the 
first store and at the second store. 

11. The system of claim 10 further comprising a com- 
muntcatbns module for communicating through the 
first firewall. 

1 2. The system of claim 1 0 or claim 1 1 wherein the syn- 
chronization agent and the second store are on a 
global server which is protected by a global firewall. 

13. The system of claim 12 further comprising a com- 
municatbns module forcomrnunicating through the 
first firewall and through the global firewall. 

14. The system of any one of claims 10 to 13 wherein 
the first version information includes the date and 
time the first workspace element was last modified 
and the second version infornr^tion includes the 
date and time the copy was last modified. 

15. The system of claim 14 wherein the general syn- 
chronization module compares the first version in- 
formation against a date and lime of last synchro- 
nization. 

1 6. The system of claim 1 4 or claim 1 5 wherein the syn- 
chronization agent compares the second versk>n In* 
fomnation against the date and time ot last synchro- 
nization, 

17. The system of any one of claims 10 to 16 further 
comprising means for updating the first version in- 
formation whenever the first workspace element is 
modified- 

18. The system of any one of claims 10 to 17 further 
comprising means for updating the second version 
information whenever the copy is nr>odified. 

19. The system of any one of claims 10 to 18 wherein 
if only one of the first workspace element and the 
copy has been nxxlified, then the means for gener- 
ating selects the one as the preferred version. 

20. The system of any one of clain^s 10 to 19 further 
comprising a locator module for locating the first 
store, the first workspace element, the first version 
information, the second store, the copy and the sec- 
ond version information. 

21. A system comprising: 

first means for generating first examination re- 
sults from first version information which indi- 



cates whether a first workspace element stored 
at a first store within a firewall has been rnodi- 
fied; 

second means for generating second examina- 
s tion results from second version information 

which indicates whether an independently- 
modifiable copy of the first workspace element 
has been nrKxJified. the copy being stored at a 
second store outside the firewall; 
fo means for initiating the first and second means 

from within the firewall when predetermined cri- 
teria have been satisfied; 
means for generating a preferred version from 
the first workspace element and from the copy 
based on the first and second examination re- 
sults; and 

means for storing the preferred version at the 
first store and at the second store. 

20 22. A computer-readable storage medium storing pro- 
gram code for causing a computer to perform the 
steps of: 

(a) generating first examination results from 
2S first version information whch indicates wheth- 
er a first workspace element stored at a first 
store within a firewall has been modified; 

(b) generating second examination results from 
second version information which indicates 

30 whether an independently-modifiable copy of 

the first workspace element has been modified, 
the copy being stored at a second store outsde 
the firewall; 

(c) initiating steps (a) and (b) from within the 
3S firewall when predetermined criteria have been 

satisfied; 

(d) generating a preferred version from the first 
workspace element and from the copy based 
on the first and second examination results; 

40 and 

(e) storing the preferred versbn at the first store 
and at the second store. 

23. A computer-based method comprising the steps of: 

45 

(a) generating first examinatkxi results from 
first versbn information which indicates wheth- 
er a first workspace elennent stored at a first 
store within a firewall has been modified; 
50 (b) generating second examination results from 

second version information whk:h indicates 
whether an independently-rrxxiifiable copy of 
the first workspace element has been nrxxfified, 
the copy being stored at a second store outside 
55 the firewall; 

(c) initiating steps (a) and (b) from within the 
firewall when predetemntned criteria have been 
satisfied; 
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(d) determining based on the first and second 
examination results that both the first work- 
space element and the copy have been modi- 
fied; and 

(e) storing both the first workspace element and 
the copy at the first store and at the second 
store. 



tween the gbbal sen/er and the remote cli- 
ent. 



24. A system comprising: 

first means for generating first examination re- 
sults from first version information whk;h indi- 
cates whether a first workspace element stored 
at a first store within a firewall has bean modi- 
fied: 

second means for generating second examina- 
tion results from second version information 
which indicates whether an independently- 
modifiable copy of the first workspace element 
has been modified, the copy being stored at a 
second store outside the firewall; 
means for initiating the first and second means 
from within the firewall when predetermined cri- 
teria have been satisfied; 
means for determining based on the first and 
second examination results that both the first 
workspace element and the copy have been 
modified; and 

means for storing both the first file and the copy 
at the first store and at the second store. 
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25. A system comprising: 



a gbbal sen/er for operating outside a firewall 
and including 



35 



memory for storing first workspace data 
and corresponding first version informa- 
tion; and 

a synchronization agent for managing the 
first workspace data and the correspond- 
ing first version information and for com- 
municating with remote clients; and 



40 



a renr>ote client for operating within the firewall 
and including 



45 



memory for storing second workspace da- 
ta and corresponding second version infor- 
mation; 50 
means for cooperating with the synchroni- 
zation agent to synchronize the first work- 
space data with the second workspace da- 
ta by examining the first versk>n informa- 
tbn and the second version information; 55 
and 

a synchronization-start nrxxJule for initiat- 
ing workspace data synchronization be- 
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